Federal prosecutors say they have have extradited one of the leaders of an international crime ring accused of hacking in to bank card processor RBS WorldPay and stealing more than $9.4m in a 12-hour period.
Sergei Tsurikov, 26, of Tallinn, Estonia, was recently brought to the US, after being arrested in Russia in March. On …

Errrr.

eh??

"They allegedly exploited a vulnerability to break into the company's network, where they retrieved payment card data as it was being processed." --- 2 issues with this, firstly how did they break in? Surely RBS Worldpay are PCI compliant so they should have adequate security controls in place to protect against these kind of attacks. If RBS Worldpay were PCI compliant and still got hacked, this places a big question mark over the worth and effectiveness of PCI compliance. Secondly, how did the intruders get the PIN numbers? PIN numbers are never (or at least should not be) stored or transmitted in clear text anywhere on a Banks network. So how did they obtain them?? All sounds a bit hazy on the details to me...

still hazy

Not necessarily low level technical detail, just "they used SQL injection" or "they exploited a vulnerability in an unpatched web service" or some other high level explanation. The reason this would have been beneficial is it would have highlighted that RBS Worldpay were PCI compliant and still got hacked, hence industry standards such as PCI do not provide adequate security against intruders. But we cannot make that statement because all the articles say are "they exploited a vulnerability" which is like saying "the hackers hacked it". Also, the PIN numbers point does not add up either. How did they get the PIN numbers?? No one seems to be able to explain this one. If they did get them from the inside the Banks network then either RBS worldpay has broken every rule for storing or transmitting PIN numbers or the hackers worked out a way to break the encryption. Neither sounds all that likely.

Detailed - why? It just needs to make logical sense.

No one is expecting a detailed description of the so-called hack and the fraud process. What one would expect, though, is for the sketchy details to make sense in the context of the banking operation. The problem is that they don't! The PIN question is an interesting on, even if you think it's unimportant because the details are hazy. Banks don't store PINs, they store PIN Offsets, so even if the crims got hold of the "PIN database" as you guys like to call it, and were able to decrypt it and extract the numbers, they wouldn't have the PINs.

The question is a sensible one. It's standard banking policy to store PIN offsets, not PINs. So, the question remains, where did the PINs come from?